This security setting determines the maximum time difference (in minutes) that Kerberos V5 tolerates between the time on the client clock and the time on the domain controller that provides Kerberos authentication. The STIG recommended state for this setting is: 5 or fewer minutes. Rationale: To prevent 'replay attacks,' the Kerberos v5 protocol uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be in sync as much as possible. In other words, both devices must be set to the same time and date. Because the clocks of two computers are often out of sync, you can use this policy setting to establish the maximum acceptable difference to the Kerberos protocol between a client clock and domain controller clock. If the difference between a client computer clock and the domain controller clock is less than the maximum time difference that is specified in this policy, any time stamp that is used in a session between the two devices is considered to be authentic. Impact: None - this is the default behavior.
Solution
To establish the recommended configuration via GP, set the following UI path to 5 or fewer minutes: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policy\Kerberos Policy\Maximum tolerance for computer clock synchronization Default Value: 5 minutes Additional Information: Microsoft Windows Server 2019 Security Technical Implementation Guide: Version 2, Release 1, Benchmark Date: November 13, 2020 Vul ID: V-205706 Rule ID: SV-205706r569188_rule STIG ID: WN19-DC-000060 Severity: CAT II